Welcome to our data protection bulletin, covering the key developments in data protection law from March 2020.
Data protection
Cyber security
Enforcement
Data protection
The ICO has issued guidance on particular issues facing businesses when managing their data protection obligations during the Covid-19 pandemic. We have summarised some of the key take-away points below:
- Response times and information governance: The ICO has given reassurance that it will not penalise organisations that the ICO knows need to prioritise other areas or adapt their usual approach during the pandemic. It says that it understands that businesses may not be able to meet the same standard of response times to information rights requests. The ICO says that it is unable to extend statutory timescales but it will advise third parties, where possible, that they may experience understandable delays when making requests during the pandemic.
- Homeworking and security measures: Data protection law does not prevent staff from using their own device or communications equipment in their own homes. Businesses will need to consider the same kinds of security measures for homeworking that one would use in normal circumstances. The National Cyber Security Centre has published guidance on how to prepare for an increase in home and remote working. Recommendations include producing “How do I?” guides for employees, ensuring devices are encrypted in case of them being stolen or lost, providing necessary training and tips on how to spot coronavirus email scams.
- Disclosing to staff that a colleague may have contracted Covid-19: The ICO says data protection law is not a barrier to keeping staff informed about any confirmed or potential cases within your organisation. The ICO stresses that it is unlikely to be necessary to name individuals and you should not give more information than is needed. Businesses have an obligation to ensure the health and safety of their employees, as well as a duty of care and data protection laws will not prevent businesses from meeting those obligations.
- Public health messages: The ICO states that the government, NHS or health professionals may send public health messages to people by phone, text or email and these will not constitute direct marketing.
The EDPB has issued a statement which emphasises that: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic … even in these exceptional times, the data controller must ensure the protection of the personal data of data subjects.”
The statement outlines that possible grounds for processing personal data in the context of epidemics are when it is necessary for reasons of public interest in the area of public health, to protect vital interests or to comply with a legal obligation such as to ensure employees’ health and safety.
The guidance also emphasises that mobile location data may only be used by the operator to combat coronavirus when it is made anonymous or with the consent of the individuals. Where it is not possible to only process anonymous data, the EDPB leaves open the possibility of such processing being lawful under national law which implements the ePrivacy Directive (the “Directive”). Art.15 of the Directive enables Member States to introduce legislative measures pursuing national security and public security on the understanding such measures constitute a necessary and proportionate measure. If such emergency legislation were introduced, it would require the Member State to put in place adequate safeguards such as granting individuals the right to judicial remedy.
The UK government has published an explanatory framework as part of its attempt to obtain an adequacy decision from the European Commission by the end of 2020, following the UK’s departure from the European Union. An adequacy decision permits a cross-border data transfer across the EU or onward transfer from or to a party outside the EU without further authorisation from a national supervisory authority. The explanatory framework sets out in detail how the government considers that the UK meets the Commission’s criteria for adequacy, and as such is a positive step towards securing an adequacy decision by the end of the transition period.
In Scott v LGBT Foundation Ltd [2020] EWHC 483 (QB), the High Court rejected a claim that the LGBT Foundation (“LGBT”) had breached the claimant’s data protection, confidentiality and privacy rights by disclosing information about him in a telephone conversation with his GP due to concerns about his welfare. The information concerned the claimant being at risk of suicide or other substantial self-harm. In relation to a claim that this breached the Data Protection Act 1998, the High Court held that data protection law did not apply, since the relevant information about the claimant had been disclosed verbally only, and had not been recorded. It was also held that the disclosure would in any event have met the processing condition that it was necessary to protect the vital interests of the claimant, because he was considered to be at material risk of self-harm. This judgment serves as a useful reminder that purely verbal communications do not constitute “data” for the purpose of data protection legislation.
In Dawson-Damer v Taylor Wessing LLP [2020] EWCA Civ 352, the Court of Appeal issued further guidance on the extent of a data controller's obligation to search for paper files. In this case, the claimants (beneficiaries under a Bahamian trust) served Data Subject Access Requests on Taylor Wessing, the English solicitor to the Bahamian trustee of the trust. It declined to provide the information requested, arguing, amongst other things that, papers which were filed in chronological order did not amount to a "relevant filing system" for the purposes of section 1(1) of the Data Protection Act 1998 (the “DPA 1998”).
The Court of Appeal held that, because every page of the papers would need to be manually reviewed by a trainee and an associate to extract personal information, the papers were not "readily accessible" and hence they were not a "relevant filing system". In coming to this decision, the Court of Appeal considered the ICO's “temp test” (whether a temporary administrative assistant, with no prior background knowledge, would be able to extract specific information on the individual from the manual records) to be a useful rule of thumb.
A key takeaway is that whether a set of document is "readily accessible" is a fact-specific matter. It would be interesting to find out if the Court of Appeal's decision would be different had the documents be stored in a searchable database on Taylor Wessing's computer system.
In Reid v Price [2020] EWHC 594 (QB), Warby J provided guidance on the approach to calculating damages for data protection claims.
This case concerns two celebrities – the claimant was a cage fighter who won Celebrity Big Brother, while the defendant was a former model. While dating between October 2009 and June 2010, the defendant “obtained video recordings and photographs of the claimant engaging in sexual activity.”
As part of subsequent divorce negotiations around September 2011, the defendant undertook to the claimant that she would not publish or disclose those videos and photographs except in certain specified and limited circumstances.
However, it became apparent that the defendant had breached the undertaking and, in 2017, the claimant issued proceedings. The claimant alleged that the defendant had disclosed the videos and photographs to at least 50 third parties between 2012 and 2018.
In assessing damages, Warby J emphasised that there is no "material difference between the approach to be taken to the claims in confidentiality, misuse of private information, and breach of statutory duty [i.e. claims for breaches of data protection legislation]." He elaborated by saying that the aim is to compensate the claimant for "the wrongful retention and wrongful disclosure" of the videos and photographs and that in assessing such damages: "it will be legitimate to pay some attention to the current level of personal injury awards". He also noted that, in line with the Court of Appeal's judgment in Lloyd v Google LLC [2019] EWCA Civ 1599: "in…data protection claims, damages may be awarded for loss of autonomy or loss of control; the nature of the information disclosed and the degree of loss of control should bear on this aspect of the court's assessment of damages – the more intimate the information and the more extensive the disclosure, the greater the award."
As a result, Warby J was prepared to award damages of more than £25,000 but was limited to that amount as the claimant's Claim Form stated that his claim "is limited to £25,000."
Cyber security
Amidst the global panic over Coronavirus, a new wave of scams and cyber-attacks have arisen to add to the frenzy. An online security company, noted that fraudsters have capitalised on the pandemic by adapting phishing emails to trip up the vulnerable with, for example, promises of tax refunds from HMRC. The emails and texts contain a link that directs the recipients to a fake website bearing an HMRC logo claiming that as a precaution against Covid-19, the government has established a new tax refund programme for dealing with the coronavirus outbreak and requesting individuals’ bank card numbers and other personal information that could enable fraudulent transactions to be made, including their name, address, phone number and mother’s maiden name.
Readers are reminded to be vigilant and to avoid clicking on links or opening documents that look suspicious.
Boots has had to suspend payments using the Advantage Card, its loyalty points card, after it identified attempts to break into its customers' accounts using passwords stolen from other sites. Boots has clarified that its systems were not compromised. Additionally, credit card information of the 1% of the affected card-users were not accessed, according to Boots.
This incident occurred days after a similar issue affected 600,000 Tesco Clubcard users.
Epiq Global provides integrated technology, consultative and administrative services to the legal industry. Epiq confirmed on 3 March 2020 that it was hit by a ransomware attack on 29 February 2020. As a result, Epiq "immediately took [their] systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation." According to Epiq, "no client data has been accessed, misused or extracted" following its investigation. As of 16 March 2020, Epiq has restored access to over 60% of its client facing systems and will continue to restore access to its services.
The full Q&A published by Epiq can be found here.
Virgin Media admitted that the personal details of 900,000 customers stored on a database for marketing purposes were unsecured and accessible for 10 months. It also confirmed that the information was accessed on at least one occasion by an unknown user. Personal details that were accessible included phone numbers, home addresses and email addresses. Crucially, neither "passwords [nor] financial details, such as credit card information or bank account numbers," were reported to be part of the accessible information.
Virgin Media has notified the ICO who has launched an investigation.
O2's UK partner, Aerial Direct, notified its customers that an unauthorised third party had been able to access customer data on 26 February 2020, including names, dates of birth, addresses and phone numbers. In a statement echoing that released by Virgin Media in relation to the data breach referred to above, Aerial Direct confirmed that "the database did not include any passwords or financial details, such as bank account number or credit card information."
Aerial Direct has reported the data breach to the ICO.
Network Rail and service provider, C3UK, left a database containing 146 million records which included personal contact details and dates of birth on an unsecured Amazon web services storage platform. The data subjects were those who used free Wi-Fi at UK railway stations. The database was not password protected. C3UK said it had chosen not to inform the ICO because the data had not been stolen or accessed by another party. Network Rail confirmed that it would contact the ICO to explain its position and also inform them that they had strongly suggested that C3UK report the incident.
In a plenary session on 20 February 2020, the EDPB, which is in charge of applying the GDPR across the European Union, ordered Google to conduct "a full assessment of the data protection requirements and privacy implications" of its intended acquisition of Fitbit. It added that the EDPB will itself consider any implications of the acquisition on personal data protection in the EEA. The UK's ICO and US Department of Justice are similarly looking into privacy concerns surrounding the intended acquisition. The main concern is centred on how Google will "combine and accumulate" sensitive health and wellness data Fitbit collects from users.
Enforcement
The Italian Data Protection Authority (the Garante per la protezione dei dati personali) fined TIM S.p.A, Italy's largest telecommunications service provider, €27,802,946 for unlawful processing of data for marketing purposes. This is the largest fine issued in Italy since the GDPR came into force. Specifically, the Italian Data Protection Authority had received hundreds of complaints from January 2017 to early 2019 alleging that call centres acting on behalf of TIM S.p.A had performed unsolicited marketing calls without customers' consent. Subsequently, investigations carried out with the assistance of the Italian Financial Police revealed several breaches of Italian personal data protection legislation.
The ICO has issued a Monetary Penalty Notice of £500,000 against Cathay Pacific Airway Limited, the maximum fine available under the Data Protection Act 1998, for breaching Principle 7 of the Data Protection Act 1998.
The ICO’s investigation found that Cathay Pacific’s computer systems lacked appropriate security measures, meaning that approximately 9.4 million customers’ personal data (including names, passport and identity details, dates of birth, postal and e-mail addresses, phone numbers and historical travel information) was left exposed. These customers included 111,578 based in the UK. Amongst other things, the lack of security measures included back-up files not being password protected, unpatched internet-facing servers, use of operating systems that were no longer supported by the developer and inadequate anti-virus protection. The ICO did, however, note that Cathay Pacific was at least prompt in seeking expert assistance from a cybersecurity firm and issued appropriate information to affected data subjects.
The ICO noted: “This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”
It is sobering to note that had the data breach occurred after the General Data Protection Regulation (the “GDPR”) came into force, the potential fine could have been up to approximately £470 million (being 4% of Cathay Pacific’s annual global turnover).
The ICO and the Office of the Australian Information Commissioner announced on 5 March 2020 that they have signed a Memorandum of Understanding (the "MoU"). James Dipple-Johnstone, the ICO Deputy Commissioner, noted that data protection "has an increasingly international dimension…so the UK needs a regulator with global reach and influence."
The Memorandum sets out both organisations' intention to work together to protect personal data through cooperation and sharing experience, expertise and intelligence.
Under section 165 of the DPA 2018, a data subject may lodge a complaint to the ICO if they consider that, in connection with personal data relating to them, there is an infringement of the GDPR. If a complaint is lodged under section 165, section 166 of the DPA 2018 permits the First-Tier Tribunal, upon an application by the data subject, to make an order requiring the ICO to respond to or inform the data subject on the progress or outcome of the complaint within a specified period.
The Upper Tribunal's judgment in Leighton v Information Commissioner (No.2) [2020] UKUT 23 (AAC) confirms that appeals under section 166 of the DPA 2018 are merely procedural and that this provision does not provide affected data subjects with "a right of appeal against the substantive outcome of an investigation" to which their section 165 complaint relates.